If HX509_CMS_VS_NO_KU_CHECK is set, allow more liberal search for matching certificates by not considering KeyUsage bits on the certificates.

If HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH is set, allow the encapContentInfo to mismatch the oid in signedAttributes (or, if no signedAttributes were used, the pkcs7-data oid). This is only needed to work with broken CMS implementations that don't follow the CMS signedAttributes rules.

If the HX509_CMS_VS_NO_VALIDATE flag is set, do not verify the signing certificates and leave that up to the caller.

If HX509_CMS_VS_ALLOW_ZERO_SIGNER is set, allow empty SignerInfo (no signatures). If SignedData has no signatures, the function will return 0 with signer_certs set to NULL. Zero signers is allowed by the standard, but since it is only useful in corner cases, it was made into a flag that the caller has to turn on.

int hx509_cms_wrap_ContentInfo(const heim_oid *oid, const heim_octet_string *buf, heim_octet_string *res)

Wrap data and oid in a ContentInfo and encode it.

Parameters:

oid
    type of the content.

buf
    data to be wrapped. If a NULL pointer is passed in, the optional content field in the ContentInfo is not going to be filled in.

res
    the encoded buffer, the result should be freed with der_free_octet_string().
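
The byte layout that the wrapping described above produces, as an added example that is not hx509 code: a self-contained DER encoder for ContentInfo. It assumes the RFC 5652 layout (contentType OID followed by the content in an EXPLICIT [0] tag) and that the data being wrapped is already a DER-encoded value; wrap_content_info, ID_DATA and SAMPLE are hypothetical names, and the sample bytes are constructed.

```c
#include <stdint.h>
#include <string.h>

/* Constructed sample input: id-data (1.2.840.113549.1.7.1) as OID content
 * bytes, and an already DER-encoded OCTET STRING "hi" as the content. */
static const uint8_t ID_DATA[] = {0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x01};
static const uint8_t SAMPLE[]  = {0x04,0x02,'h','i'};

/* Size of a DER header: one tag byte plus a definite-form length. */
static size_t der_hdr_len(size_t len)
{
    size_t n = 2;
    if (len >= 0x80)
        for (; len; len >>= 8) n++;
    return n;
}

/* Write tag and length at p; returns the number of header bytes written. */
static size_t der_put_hdr(uint8_t *p, uint8_t tag, size_t len)
{
    size_t n = der_hdr_len(len), i;
    p[0] = tag;
    if (len < 0x80) { p[1] = (uint8_t)len; return n; }
    p[1] = (uint8_t)(0x80 | (n - 2));
    for (i = n - 1; i >= 2; i--, len >>= 8) p[i] = (uint8_t)len;
    return n;
}

/* Hypothetical helper, not hx509 code. content == NULL omits the optional
 * [0] field. Returns the encoded length, or 0 if out is too small. */
size_t wrap_content_info(const uint8_t *oid, size_t oid_len,
                         const uint8_t *content, size_t content_len,
                         uint8_t *out, size_t cap)
{
    size_t c_tlv = content ? der_hdr_len(content_len) + content_len : 0;
    size_t body = der_hdr_len(oid_len) + oid_len + c_tlv;
    uint8_t *p = out;
    if (der_hdr_len(body) + body > cap) return 0;
    p += der_put_hdr(p, 0x30, body);            /* ContentInfo SEQUENCE */
    p += der_put_hdr(p, 0x06, oid_len);         /* contentType OID */
    memcpy(p, oid, oid_len); p += oid_len;
    if (content) {
        p += der_put_hdr(p, 0xA0, content_len); /* content [0] EXPLICIT */
        memcpy(p, content, content_len); p += content_len;
    }
    return (size_t)(p - out);
}
```

With the content pointer NULL the output is only the SEQUENCE holding the OID, so a consumer parsing it must treat the [0] field as optional.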